<html><head><title>Burp Scanner Report</title>
<meta http-equiv="Content-Security-Policy" content="default-src 'none';img-src 'self' data:;style-src 'unsafe-inline'" />
<style type="text/css">
body { background: #dedede; font-family: 'Droid sans', Helvetica, Arial, sans-serif; color: #404042; -webkit-font-smoothing: antialiased; }
#container { width: 930px; padding: 0 15px; margin: 20px auto; background-color: #ffffff; }
table { font-family: Arial, sans-serif; }
a:link, a:visited { color: #ff6633; text-decoration: none; transform: 0.3s; }
a:hover, a:active { color: #e24920; text-decoration: underline; }
h1 { font-size: 1.6em; line-height: 1.4em; font-weight: normal; color: #404042; }
h2 { font-size: 1.3em; line-height: 1.2em; padding: 0; margin: 0.8em 0 0.3em 0; font-weight: normal; color: #404042;}
h4 { font-size: 1.0em; line-height: 1.2em; padding: 0; margin: 0.8em 0 0.3em 0; font-weight: bold; color: #404042;}
.rule { height: 0px; border-top: 1px solid #404042; padding: 0; margin: 20px -15px 0 -15px; }
.title { color: #ffffff; background: #ff6633; margin: 0 -15px 10px -15px; overflow: hidden; }
.title h1 { color: #ffffff; padding: 10px 15px; margin: 0; font-size: 1.8em; }
.title img { float: right; display: inline; padding: 1px; }
.heading { background: #404042; margin: 0 -15px 10px -15px; padding: 0; display: inline-block; overflow: hidden; }
.heading img { float: right; display: inline; margin: 8px 10px 0 10px; padding: 0; }
.code { font-family: 'Courier New', Courier, monospace; }
table.overview_table { border: 2px solid #e6e6e6; margin: 0; padding: 5px;}
table.overview_table td.info { padding: 5px; background: #dedede; text-align: right; border-top: 2px solid #ffffff; border-right: 2px solid #ffffff; }
table.overview_table td.info_end { padding: 5px; background: #dedede; text-align: right; border-top: 2px solid #ffffff; }
table.overview_table td.colour_holder { padding: 0px; border-top: 2px solid #ffffff; border-right: 2px solid #ffffff; }
table.overview_table td.colour_holder_end { padding: 0px; border-top: 2px solid #ffffff; }
table.overview_table td.label { padding: 5px; font-weight: bold; }
table.summary_table td { padding: 5px; background: #dedede; text-align: left; border-top: 2px solid #ffffff; border-right: 2px solid #ffffff; }
table.summary_table td.icon { background: #404042; }
.colour_block { padding: 5px; text-align: right; display: block; font-weight: bold; }
.high_certain { border: 2px solid #f00; background: #f00; }
.high_firm { border: 2px solid #f66; background: #f66; }
.high_tentative { border: 2px solid #fcc; background: #fcc; }
.medium_certain { border: 2px solid #f90; background: #f90; }
.medium_firm { border: 2px solid #ffc266; background: #ffc266; }
.medium_tentative { border: 2px solid #ffebcc; background: #ffebcc; }
.low_certain { border: 2px solid #fe0; background: #fe0; }
.low_firm { border: 2px solid #fff566; background: #fff566; }
.low_tentative { border: 2px solid #fffccc; background: #fffccc; }
.info_certain { border: 2px solid #ababab; background: #ababab; }
.info_firm { border: 2px solid #cdcdcd; background: #cdcdcd; }
.info_tentative { border: 2px solid #eee; background: #eee; }
.row_total { border: 1px solid #dedede; background: #fff; }
.grad_mark { padding: 4px; border-left: 1px solid #404042; display: inline-block; }
.bar { margin-top: 3px; }
.TOCH0 { font-size: 1.0em; font-weight: bold; word-wrap: break-word; }
.TOCH1 { font-size: 0.8em; text-indent: -20px; padding-left: 50px; margin: 0; word-wrap: break-word; }
.TOCH2 { font-size: 0.8em; text-indent: -20px; padding-left: 70px; margin: 0; word-wrap: break-word; }
.BODH0 { font-size: 1.6em; line-height: 1.2em; font-weight: normal; padding: 10px 15px; margin: 0 -15px 10px -15px; display: inline-block; color: #ffffff; background-color: #ff6633; width: 100%; word-wrap: break-word; }
.BODH0 a:link, .BODH0 a:visited, .BODH0 a:hover, .BODH0 a:active { color: #ffffff; text-decoration: none; }
.BODH1 { font-size: 1.3em; line-height: 1.2em; font-weight: normal; padding: 13px 15px; margin: 0 -15px 0 -15px; display: inline-block; width: 100%; word-wrap: break-word; }
.BODH1 a:link, .BODH1 a:visited, .BODH1 a:hover, .BODH1 a:active { color: #404042; text-decoration: none; }
.BODH2 { font-size: 1.0em; font-weight: bold; line-height: 2.0em; width: 100%; word-wrap: break-word; }
.PREVNEXT { font-size: 0.7em; font-weight: bold; color: #ffffff; padding: 3px 10px; border-radius: 10px;}
.PREVNEXT:link, .PREVNEXT:visited { color: #ff6633 !important; background: #ffffff !important; border: 1px solid #ff6633 !important; text-decoration: none; }
.PREVNEXT:hover, .PREVNEXT:active { color: #fff !important; background: #e24920 !important; border: 1px solid #e24920 !important; text-decoration: none; }
.TEXT { font-size: 0.8em; padding: 0; margin: 0; word-wrap: break-word; }
TD { font-size: 0.8em; }
.HIGHLIGHT { background-color: #fcf446; }
.rr_div { border: 2px solid #ff6633; width: 916px; word-wrap: break-word; -ms-word-wrap: break-word; margin: 0.8em 0; padding: 5px; font-size: 0.8em; max-height: 300px; overflow-y: auto; }

div.scan_issue_false_positive_rpt{width: 32px; height: 32px; background-image: url()}
div.scan_issue_high_certain_rpt{width: 32px; height: 32px; background-image: url()}
div.scan_issue_high_firm_rpt{width: 32px; height: 32px; background-image: url()}
div.scan_issue_high_tentative_rpt{width: 32px; height: 32px; background-image: url()}
div.scan_issue_info_certain_rpt{width: 32px; height: 32px; background-image: url()}
div.scan_issue_info_firm_rpt{width: 32px; height: 32px; background-image: url()}
div.scan_issue_info_tentative_rpt{width: 32px; height: 32px; background-image: url()}
div.scan_issue_low_certain_rpt{width: 32px; height: 32px; background-image: url()}
div.scan_issue_low_firm_rpt{width: 32px; height: 32px; background-image: url()}
div.scan_issue_low_tentative_rpt{width: 32px; height: 32px; background-image: url()}
div.scan_issue_medium_certain_rpt{width: 32px; height: 32px; background-image: url()}
div.scan_issue_medium_firm_rpt{width: 32px; height: 32px; background-image: url()}
div.scan_issue_medium_tentative_rpt{width: 32px; height: 32px; background-image: url()}


@media print {
    body { width: 100%; color: #000000; position: relative; }
    #container { width: 98%; padding: 0; margin: 0; }
    h1 { color: #000000; }
    h2 { color: #000000;}
    .rule { margin: 20px 0 0 0; }
    .title { color: #000000; margin: 0 0 10px 0; padding: 10px 0; }
    .title h1 { color: #000000; }
    .title img { margin: -3px 0; }
    .heading { margin: 0 0 10px 0; }
    .BODH0 { color: #000000; }
    .BODH1 { color: #000000; }
    .PREVNEXT { visibility: hidden; display: none; }
    .rr_div { width: 98%; margin: 0.8em auto; max-height: none !important; overflow: hidden; }
}

</style>
</head>
<body>
<div id="container">
<div class="title"><img src="" width="184" height="58"><h1>Burp Scanner Report</h1></div>
<h1>Summary</h1>
<span class="TEXT">The table below shows the numbers of issues identified in different categories. Issues are classified according to severity as High, Medium, Low or Information. This reflects the likely impact of each issue for a typical organization. Issues are also classified according to confidence as Certain, Firm or Tentative. This reflects the inherent reliability of the technique that was used to identify the issue.</span><br><br><table cellpadding="0" cellspacing="0" class="overview_table">
    <tr>
        <td width="70">&nbsp;</td>
        <td width="90">&nbsp;</td>
        <td colspan="4" height="40" align="center" class="label">Confidence</td>
    </tr>
    <tr>
        <td width="70">&nbsp;</td>
        <td width="90">&nbsp;</td>
        <td width="82" height="30" class="info">Certain</td>
        <td width="82" height="30" class="info">Firm</td>
        <td width="82" height="30" class="info">Tentative</td>
        <td width="82" height="30" class="info_end">Total</td>
    </tr>
    <tr>
        <td rowspan="4" valign="middle" class="label">Severity</td>
        <td class="info" height="30">High</td>
        <td class="colour_holder"><span class="colour_block high_certain">2</span></td>
        <td class="colour_holder"><span class="colour_block high_firm">0</span></td>
        <td class="colour_holder"><span class="colour_block high_tentative">0</span></td>
        <td class="colour_holder_end"><span class="colour_block row_total">2</span></td>
    </tr>
    <tr>
        <td class="info" height="30">Medium</td>
        <td class="colour_holder"><span class="colour_block medium_certain">0</span></td>
        <td class="colour_holder"><span class="colour_block medium_firm">0</span></td>
        <td class="colour_holder"><span class="colour_block medium_tentative">0</span></td>
        <td class="colour_holder_end"><span class="colour_block row_total">0</span></td>
    </tr>
    <tr>
        <td class="info" height="30">Low</td>
        <td class="colour_holder"><span class="colour_block low_certain">4</span></td>
        <td class="colour_holder"><span class="colour_block low_firm">0</span></td>
        <td class="colour_holder"><span class="colour_block low_tentative">0</span></td>
        <td class="colour_holder_end"><span class="colour_block row_total">4</span></td>
    </tr>
    <tr>
        <td class="info" height="30">Information</td>
        <td class="colour_holder"><span class="colour_block info_certain">6</span></td>
        <td class="colour_holder"><span class="colour_block info_firm">7</span></td>
        <td class="colour_holder"><span class="colour_block info_tentative">0</span></td>
        <td class="colour_holder_end"><span class="colour_block row_total">13</span></td>
    </tr>
</table><br>
<span class="TEXT">The chart below shows the aggregated numbers of issues identified in each category. Solid colored bars represent issues with a confidence level of Certain, and the bars fade as the confidence level falls.</span><br><br><table cellpadding="0" cellspacing="0" class="overview_table">
    <tr>
        <td width="70">&nbsp;</td>
        <td width="90">&nbsp;</td>
        <td colspan="6" height="40" align="center" class="label">Number of issues</td>
    </tr>
    <tr>
        <td width="70">&nbsp;</td>
        <td width="90">&nbsp;</td>
        <td width="125"><span class="grad_mark">0</span></td>
        <td width="125"><span class="grad_mark">1</span></td>
        <td width="125"><span class="grad_mark">2</span></td>
        <td width="125"><span class="grad_mark">3</span></td>
        <td width="125"><span class="grad_mark">4</span></td>
    </tr>
    <tr>
        <td rowspan="3" valign="middle" class="label">Severity</td>
        <td class="info">High</td>
        <td colspan="5" height="30">
            <table cellpadding="0" cellspacing="0"><tr><td><img class="bar" src="" width="250" height="16"></td><td><img class="bar" src="" width="0" height="16"></td><td><img class="bar" src="" width="0" height="16"></td></tr></table>
        </td>
        <td>&nbsp;</td>
    </tr>
    <tr>
        <td class="info">Medium</td>
        <td colspan="5" height="30">
            <table cellpadding="0" cellspacing="0"><tr><td><img class="bar" src="" width="0" height="16"></td><td><img class="bar" src="" width="0" height="16"></td><td><img class="bar" src="" width="0" height="16"></td></tr></table>
        </td>
        <td>&nbsp;</td>
    </tr>
    <tr>
        <td class="info">Low</td>
        <td colspan="5" height="30">
            <table cellpadding="0" cellspacing="0"><tr><td><img class="bar" src="" width="500" height="16"></td><td><img class="bar" src="" width="0" height="16"></td><td><img class="bar" src="" width="0" height="16"></td></tr></table>
        </td>
        <td>&nbsp;</td>
    </tr>
</table>

<div class="rule"></div>
<h1>Contents</h1>
<p class="TOCH0"><a href="#1">1.&nbsp;Cleartext submission of password</a></p>
<p class="TOCH1"><a href="#1.1">1.1.&nbsp;http://121.196.62.22:8082/vulnerabilities/brute/</a></p>
<p class="TOCH1"><a href="#1.2">1.2.&nbsp;http://121.196.62.22:8082/vulnerabilities/csrf/</a></p>
<p class="TOCH0"><a href="#2">2.&nbsp;Password submitted using GET method</a></p>
<p class="TOCH1"><a href="#2.1">2.1.&nbsp;http://121.196.62.22:8082/vulnerabilities/brute/</a></p>
<p class="TOCH1"><a href="#2.2">2.2.&nbsp;http://121.196.62.22:8082/vulnerabilities/csrf/</a></p>
<p class="TOCH0"><a href="#3">3.&nbsp;Unencrypted communications</a></p>
<p class="TOCH0"><a href="#4">4.&nbsp;Strict transport security not enforced</a></p>
<p class="TOCH0"><a href="#5">5.&nbsp;Cross-domain Referer leakage</a></p>
<p class="TOCH1"><a href="#5.1">5.1.&nbsp;http://121.196.62.22:8082/vulnerabilities/brute/</a></p>
<p class="TOCH1"><a href="#5.2">5.2.&nbsp;http://121.196.62.22:8082/vulnerabilities/csrf/</a></p>
<p class="TOCH1"><a href="#5.3">5.3.&nbsp;http://121.196.62.22:8082/vulnerabilities/fi/</a></p>
<p class="TOCH1"><a href="#5.4">5.4.&nbsp;http://121.196.62.22:8082/vulnerabilities/sqli/</a></p>
<p class="TOCH1"><a href="#5.5">5.5.&nbsp;http://121.196.62.22:8082/vulnerabilities/sqli_blind/</a></p>
<p class="TOCH0"><a href="#6">6.&nbsp;File upload functionality</a></p>
<p class="TOCH0"><a href="#7">7.&nbsp;Frameable response (potential Clickjacking)</a></p>
<p class="TOCH1"><a href="#7.1">7.1.&nbsp;http://121.196.62.22:8082/vulnerabilities</a></p>
<p class="TOCH1"><a href="#7.2">7.2.&nbsp;http://121.196.62.22:8082/vulnerabilities/brute/</a></p>
<p class="TOCH1"><a href="#7.3">7.3.&nbsp;http://121.196.62.22:8082/vulnerabilities/csrf/</a></p>
<p class="TOCH1"><a href="#7.4">7.4.&nbsp;http://121.196.62.22:8082/vulnerabilities/exec/</a></p>
<p class="TOCH1"><a href="#7.5">7.5.&nbsp;http://121.196.62.22:8082/vulnerabilities/fi/</a></p>
<p class="TOCH1"><a href="#7.6">7.6.&nbsp;http://121.196.62.22:8082/vulnerabilities/sqli/</a></p>
<p class="TOCH1"><a href="#7.7">7.7.&nbsp;http://121.196.62.22:8082/vulnerabilities/upload/</a></p>
<br><div class="rule"></div>
<span class="BODH0" id="1">1.&nbsp;<a href="https://portswigger.net/knowledgebase/issues/details/00300100_cleartextsubmissionofpassword">Cleartext submission of password</a></span>
<br><a class="PREVNEXT" href="#2">Next</a>
<br>
<br><span class="TEXT">There are 2 instances of this issue:
<ul>
<li><a href="#1.1">/vulnerabilities/brute/</a></li>
<li><a href="#1.2">/vulnerabilities/csrf/</a></li>
</ul></span>
<h2>Issue background</h2>
<span class="TEXT"><p>Some applications transmit passwords over unencrypted connections, making them vulnerable to interception. To exploit this vulnerability, an attacker must be suitably positioned to eavesdrop on the victim's network traffic. This scenario typically occurs when a client communicates with the server over an insecure connection such as public Wi-Fi, or a corporate or home network that is shared with a compromised computer. Common defenses such as switched networks are not sufficient to prevent this. An attacker situated in the user's ISP or the application's hosting infrastructure could also perform this attack. Note that an advanced adversary could potentially target any connection made over the Internet's core infrastructure.</p>
<p>Vulnerabilities that result in the disclosure of users' passwords can result in compromises that are extremely difficult to investigate due to obscured audit trails. Even if the application itself only handles non-sensitive information, exposing passwords puts users who have re-used their password elsewhere at risk.</p></span>
<h2>Issue remediation</h2>
<span class="TEXT"><p>Applications should use transport-level encryption (SSL or TLS) to protect all sensitive communications passing between the client and the server. Communications that should be protected include the login mechanism and related functionality, and any functions where sensitive data can be accessed or privileged actions can be performed. These areas should employ their own session handling mechanism, and the session tokens used should never be transmitted over unencrypted communications. If HTTP cookies are used for transmitting session tokens, then the secure flag should be set to prevent transmission over clear-text HTTP.</p></span>
<h2>Vulnerability classifications</h2><span class="TEXT"><ul>
<li><a href="https://cwe.mitre.org/data/definitions/319.html">CWE-319: Cleartext Transmission of Sensitive Information</a></li>
</ul></span>
<br><br><div class="rule"></div>
<span class="BODH1" id="1.1">1.1.&nbsp;http://121.196.62.22:8082/vulnerabilities/brute/</span>
<br><a class="PREVNEXT" href="#1.2">Next</a>
<br>
<h2>Summary</h2>
<table cellpadding="0" cellspacing="0" class="summary_table">
<tr>
<td rowspan="4" class="icon" valign="top" align="center"><div class='scan_issue_high_certain_rpt'></div></td>
<td>Severity:&nbsp;&nbsp;</td>
<td><b>High</b></td>
</tr>
<tr>
<td>Confidence:&nbsp;&nbsp;</td>
<td><b>Certain</b></td>
</tr>
<tr>
<td>Host:&nbsp;&nbsp;</td>
<td><b>http://121.196.62.22:8082</b></td>
</tr>
<tr>
<td>Path:&nbsp;&nbsp;</td>
<td><b>/vulnerabilities/brute/</b></td>
</tr>
</table>
<h2>Issue detail</h2>
<span class="TEXT">The page contains a form with the following action URL, which is submitted over clear-text HTTP:<ul><li>http://121.196.62.22:8082/vulnerabilities/brute/</li></ul>The form contains the following password field:<ul><li>password</li></ul></span>
<h2>Request</h2>
<div class="rr_div"><span>GET /vulnerabilities/brute/ HTTP/1.1<br>Host: 121.196.62.22:8082<br>User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0<br>Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8<br>Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2<br>Accept-Encoding: gzip, deflate<br>Connection: close<br>Referer: http://121.196.62.22:8082/vulnerabilities/captcha/<br>Cookie: PHPSESSID=lc9r41g3fktjltmqj2v1odgjm7; security=low<br>Upgrade-Insecure-Requests: 1<br><br></span></div>
<h2>Response</h2>
<div class="rr_div"><span>HTTP/1.1 200 OK<br>Date: Fri, 22 Sep 2023 15:34:31 GMT<br>Server: Apache/2.4.10 (Debian)<br>Expires: Tue, 23 Jun 2009 12:00:00 GMT<br>Cache-Control: no-cache, must-revalidate<br>Pragma: no-cache<br>Vary: Accept-Encoding<br>Content-Length: 4855<br>Connection: close<br>Content-Type: text/html;charset=utf-8<br><br><br>&lt;!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"&gt;<br><br>&lt;html xmlns="http://www.w3.org/1999/xhtml"&gt;<br><br> &nbsp;&nbsp;&nbsp;&lt;head&gt;<br> &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&lt;meta http-equiv="Content-T<br><b>...[SNIP]...</b><br>&lt;/h2&gt;<br><br> &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;<span class="HIGHLIGHT">&lt;form action="#" method="GET"&gt;</span><br> &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;Username:&lt;br /&gt;<br><b>...[SNIP]...</b><br>&lt;br /&gt;<br> &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;<span class="HIGHLIGHT">&lt;input type="password" AUTOCOMPLETE="off" name="password"&gt;</span>&lt;br /&gt;<br><b>...[SNIP]...</b><br></span></div>
<div class="rule"></div>
<span class="BODH1" id="1.2">1.2.&nbsp;http://121.196.62.22:8082/vulnerabilities/csrf/</span>
<br><a class="PREVNEXT" href="#1.1">Previous</a>
&nbsp;<a class="PREVNEXT" href="#2.1">Next</a>
<br>
<h2>Summary</h2>
<table cellpadding="0" cellspacing="0" class="summary_table">
<tr>
<td rowspan="4" class="icon" valign="top" align="center"><div class='scan_issue_high_certain_rpt'></div></td>
<td>Severity:&nbsp;&nbsp;</td>
<td><b>High</b></td>
</tr>
<tr>
<td>Confidence:&nbsp;&nbsp;</td>
<td><b>Certain</b></td>
</tr>
<tr>
<td>Host:&nbsp;&nbsp;</td>
<td><b>http://121.196.62.22:8082</b></td>
</tr>
<tr>
<td>Path:&nbsp;&nbsp;</td>
<td><b>/vulnerabilities/csrf/</b></td>
</tr>
</table>
<h2>Issue detail</h2>
<span class="TEXT">The page contains a form with the following action URL, which is submitted over clear-text HTTP:<ul><li>http://121.196.62.22:8082/vulnerabilities/csrf/</li></ul>The form contains the following password fields:<ul><li>password_new</li><li>password_conf</li></ul></span>
<h2>Request</h2>
<div class="rr_div"><span>GET /vulnerabilities/csrf/ HTTP/1.1<br>Host: 121.196.62.22:8082<br>User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0<br>Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8<br>Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2<br>Accept-Encoding: gzip, deflate<br>Connection: close<br>Referer: http://121.196.62.22:8082/vulnerabilities/exec/<br>Cookie: PHPSESSID=lc9r41g3fktjltmqj2v1odgjm7; security=low<br>Upgrade-Insecure-Requests: 1<br><br></span></div>
<h2>Response</h2>
<div class="rr_div"><span>HTTP/1.1 200 OK<br>Date: Fri, 22 Sep 2023 15:34:45 GMT<br>Server: Apache/2.4.10 (Debian)<br>Expires: Tue, 23 Jun 2009 12:00:00 GMT<br>Cache-Control: no-cache, must-revalidate<br>Pragma: no-cache<br>Vary: Accept-Encoding<br>Content-Length: 4801<br>Connection: close<br>Content-Type: text/html;charset=utf-8<br><br><br>&lt;!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"&gt;<br><br>&lt;html xmlns="http://www.w3.org/1999/xhtml"&gt;<br><br> &nbsp;&nbsp;&nbsp;&lt;head&gt;<br> &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&lt;meta http-equiv="Content-T<br><b>...[SNIP]...</b><br>&lt;br /&gt;<br><br> &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;<span class="HIGHLIGHT">&lt;form action="#" method="GET"&gt;</span><br> &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;New password:&lt;br /&gt;<br> &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;<span class="HIGHLIGHT">&lt;input type="password" AUTOCOMPLETE="off" name="password_new"&gt;</span>&lt;br /&gt;<br><b>...[SNIP]...</b><br>&lt;br /&gt;<br> &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;<span class="HIGHLIGHT">&lt;input type="password" AUTOCOMPLETE="off" name="password_conf"&gt;</span>&lt;br /&gt;<br><b>...[SNIP]...</b><br></span></div>
<div class="rule"></div>
<span class="BODH0" id="2">2.&nbsp;<a href="https://portswigger.net/knowledgebase/issues/details/00400300_passwordsubmittedusinggetmethod">Password submitted using GET method</a></span>
<br><a class="PREVNEXT" href="#1">Previous</a>
&nbsp;<a class="PREVNEXT" href="#3">Next</a>
<br>
<br><span class="TEXT">There are 2 instances of this issue:
<ul>
<li><a href="#2.1">/vulnerabilities/brute/</a></li>
<li><a href="#2.2">/vulnerabilities/csrf/</a></li>
</ul></span>
<h2>Issue background</h2>
<span class="TEXT"><p>Some applications use the GET method to submit passwords, which are transmitted within the query string of the requested URL. Sensitive information within URLs may be logged in various locations, including the user's browser, the web server, and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked or emailed around by users. They may be disclosed to third parties via the Referer header when any off-site links are followed. Placing passwords into the URL increases the risk that they will be captured by an attacker.</p>
<p>Vulnerabilities that result in the disclosure of users' passwords can result in compromises that are extremely difficult to investigate due to obscured audit trails. Even if the application itself only handles non-sensitive information, exposing passwords puts users who have re-used their password elsewhere at risk.</p></span>
<h2>Issue remediation</h2>
<span class="TEXT"><p>All forms submitting passwords should use the POST method. To achieve this, applications should specify the method attribute of the FORM tag as <b>method="POST"</b>. It may also be necessary to modify the corresponding server-side form handler to ensure that submitted passwords are properly retrieved from the message body, rather than the URL.
</p></span>
<h2>Vulnerability classifications</h2><span class="TEXT"><ul>
<li><a href="https://cwe.mitre.org/data/definitions/598.html">CWE-598: Information Exposure Through Query Strings in GET Request</a></li>
</ul></span>
<br><br><div class="rule"></div>
<span class="BODH1" id="2.1">2.1.&nbsp;http://121.196.62.22:8082/vulnerabilities/brute/</span>
<br><a class="PREVNEXT" href="#1.2">Previous</a>
&nbsp;<a class="PREVNEXT" href="#2.2">Next</a>
<br>
<h2>Summary</h2>
<table cellpadding="0" cellspacing="0" class="summary_table">
<tr>
<td rowspan="4" class="icon" valign="top" align="center"><div class='scan_issue_low_certain_rpt'></div></td>
<td>Severity:&nbsp;&nbsp;</td>
<td><b>Low</b></td>
</tr>
<tr>
<td>Confidence:&nbsp;&nbsp;</td>
<td><b>Certain</b></td>
</tr>
<tr>
<td>Host:&nbsp;&nbsp;</td>
<td><b>http://121.196.62.22:8082</b></td>
</tr>
<tr>
<td>Path:&nbsp;&nbsp;</td>
<td><b>/vulnerabilities/brute/</b></td>
</tr>
</table>
<h2>Issue detail</h2>
<span class="TEXT">The page contains a form with the following action URL, which is submitted using the GET method:<ul><li>http://121.196.62.22:8082/vulnerabilities/brute/</li></ul>The form contains the following password field:<ul><li>password</li></ul></span>
<h2>Request</h2>
<div class="rr_div"><span>GET /vulnerabilities/brute/ HTTP/1.1<br>Host: 121.196.62.22:8082<br>User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0<br>Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8<br>Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2<br>Accept-Encoding: gzip, deflate<br>Connection: close<br>Referer: http://121.196.62.22:8082/vulnerabilities/captcha/<br>Cookie: PHPSESSID=lc9r41g3fktjltmqj2v1odgjm7; security=low<br>Upgrade-Insecure-Requests: 1<br><br></span></div>
<h2>Response</h2>
<div class="rr_div"><span>HTTP/1.1 200 OK<br>Date: Fri, 22 Sep 2023 15:34:31 GMT<br>Server: Apache/2.4.10 (Debian)<br>Expires: Tue, 23 Jun 2009 12:00:00 GMT<br>Cache-Control: no-cache, must-revalidate<br>Pragma: no-cache<br>Vary: Accept-Encoding<br>Content-Length: 4855<br>Connection: close<br>Content-Type: text/html;charset=utf-8<br><br><br>&lt;!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"&gt;<br><br>&lt;html xmlns="http://www.w3.org/1999/xhtml"&gt;<br><br> &nbsp;&nbsp;&nbsp;&lt;head&gt;<br> &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&lt;meta http-equiv="Content-T<br><b>...[SNIP]...</b><br>&lt;/h2&gt;<br><br> &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;<span class="HIGHLIGHT">&lt;form action="#" method="GET"&gt;</span><br> &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;Username:&lt;br /&gt;<br><b>...[SNIP]...</b><br>&lt;br /&gt;<br> &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;<span class="HIGHLIGHT">&lt;input type="password" AUTOCOMPLETE="off" name="password"&gt;</span>&lt;br /&gt;<br><b>...[SNIP]...</b><br></span></div>
<div class="rule"></div>
<span class="BODH1" id="2.2">2.2.&nbsp;http://121.196.62.22:8082/vulnerabilities/csrf/</span>
<br><a class="PREVNEXT" href="#2.1">Previous</a>
&nbsp;<a class="PREVNEXT" href="#5.1">Next</a>
<br>
<h2>Summary</h2>
<table cellpadding="0" cellspacing="0" class="summary_table">
<tr>
<td rowspan="4" class="icon" valign="top" align="center"><div class='scan_issue_low_certain_rpt'></div></td>
<td>Severity:&nbsp;&nbsp;</td>
<td><b>Low</b></td>
</tr>
<tr>
<td>Confidence:&nbsp;&nbsp;</td>
<td><b>Certain</b></td>
</tr>
<tr>
<td>Host:&nbsp;&nbsp;</td>
<td><b>http://121.196.62.22:8082</b></td>
</tr>
<tr>
<td>Path:&nbsp;&nbsp;</td>
<td><b>/vulnerabilities/csrf/</b></td>
</tr>
</table>
<h2>Issue detail</h2>
<span class="TEXT">The page contains a form with the following action URL, which is submitted using the GET method:<ul><li>http://121.196.62.22:8082/vulnerabilities/csrf/</li></ul>The form contains the following password fields:<ul><li>password_new</li><li>password_conf</li></ul></span>
<h2>Request</h2>
<div class="rr_div"><span>GET /vulnerabilities/csrf/ HTTP/1.1<br>Host: 121.196.62.22:8082<br>User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0<br>Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8<br>Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2<br>Accept-Encoding: gzip, deflate<br>Connection: close<br>Referer: http://121.196.62.22:8082/vulnerabilities/exec/<br>Cookie: PHPSESSID=lc9r41g3fktjltmqj2v1odgjm7; security=low<br>Upgrade-Insecure-Requests: 1<br><br></span></div>
<h2>Response</h2>
<div class="rr_div"><span>HTTP/1.1 200 OK<br>Date: Fri, 22 Sep 2023 15:34:45 GMT<br>Server: Apache/2.4.10 (Debian)<br>Expires: Tue, 23 Jun 2009 12:00:00 GMT<br>Cache-Control: no-cache, must-revalidate<br>Pragma: no-cache<br>Vary: Accept-Encoding<br>Content-Length: 4801<br>Connection: close<br>Content-Type: text/html;charset=utf-8<br><br><br>&lt;!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"&gt;<br><br>&lt;html xmlns="http://www.w3.org/1999/xhtml"&gt;<br><br> &nbsp;&nbsp;&nbsp;&lt;head&gt;<br> &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&lt;meta http-equiv="Content-T<br><b>...[SNIP]...</b><br>&lt;br /&gt;<br><br> &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;<span class="HIGHLIGHT">&lt;form action="#" method="GET"&gt;</span><br> &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;New password:&lt;br /&gt;<br> &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;<span class="HIGHLIGHT">&lt;input type="password" AUTOCOMPLETE="off" name="password_new"&gt;</span>&lt;br /&gt;<br><b>...[SNIP]...</b><br>&lt;br /&gt;<br> &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;<span class="HIGHLIGHT">&lt;input type="password" AUTOCOMPLETE="off" name="password_conf"&gt;</span>&lt;br /&gt;<br><b>...[SNIP]...</b><br></span></div>
<div class="rule"></div>
<span class="BODH0" id="3">3.&nbsp;<a href="https://portswigger.net/knowledgebase/issues/details/01000200_unencryptedcommunications">Unencrypted communications</a></span>
<br><a class="PREVNEXT" href="#2">Previous</a>
&nbsp;<a class="PREVNEXT" href="#4">Next</a>
<br>
<h2>Summary</h2>
<table cellpadding="0" cellspacing="0" class="summary_table">
<tr>
<td rowspan="4" class="icon" valign="top" align="center"><div class='scan_issue_low_certain_rpt'></div></td>
<td>Severity:&nbsp;&nbsp;</td>
<td><b>Low</b></td>
</tr>
<tr>
<td>Confidence:&nbsp;&nbsp;</td>
<td><b>Certain</b></td>
</tr>
<tr>
<td>Host:&nbsp;&nbsp;</td>
<td><b>http://121.196.62.22:8082</b></td>
</tr>
<tr>
<td>Path:&nbsp;&nbsp;</td>
<td><b>/</b></td>
</tr>
</table>
<h2>Issue description</h2>
<span class="TEXT"><p>The application allows users to connect to it over unencrypted connections.  An attacker suitably positioned to view a legitimate user's network traffic could record and monitor their interactions with the application and obtain any information the user supplies. Furthermore, an attacker able to modify traffic could use the application as a platform for attacks against its users and third-party websites. Unencrypted connections have been exploited by ISPs and governments to track users, and to inject adverts and malicious JavaScript. Due to these concerns, web browser vendors are planning to visually flag unencrypted connections as hazardous.</p>
<p>
To exploit this vulnerability, an attacker must be suitably positioned to eavesdrop on the victim's network traffic. This scenario typically occurs when a client communicates with the server over an insecure connection such as public Wi-Fi, or a corporate or home network that is shared with a compromised computer. Common defenses such as switched networks are not sufficient to prevent this. An attacker situated in the user's ISP or the application's hosting infrastructure could also perform this attack. Note that an advanced adversary could potentially target any connection made over the Internet's core infrastructure.
</p>
<p>Please note that using a mixture of encrypted and unencrypted communications is an ineffective defense against active attackers, because they can easily remove references to encrypted resources when these references are transmitted over an unencrypted connection.</p></span>
<h2>Issue remediation</h2>
<span class="TEXT"><p>Applications should use transport-level encryption (SSL/TLS) to protect all communications passing between the client and the server. The Strict-Transport-Security HTTP header should be used to ensure that clients refuse to access the server over an insecure connection.</p></span>
<h2>References</h2>
<span class="TEXT"><ul>
<li><a href="https://www.chromium.org/Home/chromium-security/marking-http-as-non-secure">Marking HTTP as non-secure</a></li>
<li><a href="https://wiki.mozilla.org/Security/Server_Side_TLS">Configuring Server-Side SSL/TLS</a></li>
<li><a href="https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security">HTTP Strict Transport Security</a></li>
</ul></span>
<h2>Vulnerability classifications</h2><span class="TEXT"><ul>
<li><a href="https://cwe.mitre.org/data/definitions/326.html">CWE-326: Inadequate Encryption Strength</a></li>
</ul></span>
<div class="rule"></div>
<span class="BODH0" id="4">4.&nbsp;<a href="https://portswigger.net/knowledgebase/issues/details/01000300_stricttransportsecuritynotenforced">Strict transport security not enforced</a></span>
<br><a class="PREVNEXT" href="#3">Previous</a>
&nbsp;<a class="PREVNEXT" href="#5">Next</a>
<br>
<h2>Summary</h2>
<table cellpadding="0" cellspacing="0" class="summary_table">
<tr>
<td rowspan="4" class="icon" valign="top" align="center"><div class='scan_issue_low_certain_rpt'></div></td>
<td>Severity:&nbsp;&nbsp;</td>
<td><b>Low</b></td>
</tr>
<tr>
<td>Confidence:&nbsp;&nbsp;</td>
<td><b>Certain</b></td>
</tr>
<tr>
<td>Host:&nbsp;&nbsp;</td>
<td><b>https://push.services.mozilla.com</b></td>
</tr>
<tr>
<td>Path:&nbsp;&nbsp;</td>
<td><b>/</b></td>
</tr>
</table>
<h2>Issue description</h2>
<span class="TEXT"><p> The application fails to prevent users from connecting  to it over unencrypted connections.  An attacker able to modify a legitimate user's network traffic could bypass the application's use of SSL/TLS encryption, and use the application as a platform for attacks against its users. This attack is performed by rewriting HTTPS links as HTTP, so that if a targeted user follows a link to the site from an HTTP page, their browser never attempts to use an encrypted connection. The sslstrip tool  automates this process. </p>
<p>
To exploit this vulnerability, an attacker must be suitably positioned to intercept and modify the victim's network traffic.This scenario typically occurs when a client communicates with the server over an insecure connection such as public Wi-Fi, or a corporate or home network that is shared with a compromised computer. Common defenses such as switched networks are not sufficient to prevent this. An attacker situated in the user's ISP or the application's hosting infrastructure could also perform this attack. Note that an advanced adversary could potentially target any connection made over the Internet's core infrastructure. </p></span>
<h2>Issue remediation</h2>
<span class="TEXT"><p>The application should instruct web browsers to only access the application using HTTPS. To do this, enable HTTP Strict Transport Security (HSTS) by adding a response header with the name 'Strict-Transport-Security' and the value 'max-age=expireTime', where expireTime is the time in seconds that browsers should remember that the site should only be accessed using HTTPS. Consider adding the 'includeSubDomains' flag if appropriate.</p>
<p>Note that because HSTS is a &quot;trust on first use&quot; (TOFU) protocol, a user who has never accessed the application will never have seen the HSTS header, and will therefore still be vulnerable to SSL stripping attacks. To mitigate this risk, you can optionally add the 'preload' flag to the HSTS header, and submit the domain for review by browser vendors.</p></span>
<h2>References</h2>
<span class="TEXT"><ul>
<li><a href="https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security">HTTP Strict Transport Security</a></li>
<li><a href="http://www.thoughtcrime.org/software/sslstrip/">sslstrip</a></li>
<li><a href="https://hstspreload.appspot.com/">HSTS Preload Form</a></li>
</ul></span>
<h2>Vulnerability classifications</h2><span class="TEXT"><ul>
<li><a href="https://cwe.mitre.org/data/definitions/523.html">CWE-523: Unprotected Transport of Credentials</a></li>
</ul></span>
<h2>Request</h2>
<div class="rr_div"><span>GET / HTTP/1.1<br>Host: push.services.mozilla.com<br>User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0<br>Accept: */*<br>Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2<br>Accept-Encoding: gzip, deflate<br>Sec-WebSocket-Version: 13<br>Origin: wss://push.services.mozilla.com/<br>Sec-WebSocket-Protocol: push-notification<br>Sec-WebSocket-Key: qjqyn2kvc2cxu81lNLDogQ==<br>Connection: keep-alive, Upgrade<br>Sec-Fetch-Dest: empty<br>Sec-Fetch-Mode: websocket<br>Sec-Fetch-Site: cross-site<br>Pragma: no-cache<br>Cache-Control: no-cache<br>Upgrade: websocket<br><br></span></div>
<h2>Response</h2>
<div class="rr_div"><span>HTTP/1.1 101 Switching Protocols<br>Connection: Upgrade<br>Upgrade: websocket<br>Sec-WebSocket-Accept: bkfZCuhT7TvLvTHy1C0OvD11ORk=<br>Date: Fri, 22 Sep 2023 15:34:37 GMT<br>Via: 1.1 google<br>Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000<br><br></span></div>
<div class="rule"></div>
<span class="BODH0" id="5">5.&nbsp;<a href="https://portswigger.net/knowledgebase/issues/details/00500400_crossdomainrefererleakage">Cross-domain Referer leakage</a></span>
<br><a class="PREVNEXT" href="#4">Previous</a>
&nbsp;<a class="PREVNEXT" href="#6">Next</a>
<br>
<br><span class="TEXT">There are 5 instances of this issue:
<ul>
<li><a href="#5.1">/vulnerabilities/brute/</a></li>
<li><a href="#5.2">/vulnerabilities/csrf/</a></li>
<li><a href="#5.3">/vulnerabilities/fi/</a></li>
<li><a href="#5.4">/vulnerabilities/sqli/</a></li>
<li><a href="#5.5">/vulnerabilities/sqli_blind/</a></li>
</ul></span>
<h2>Issue background</h2>
<span class="TEXT"><p>When a web browser makes a request for a resource, it typically adds an HTTP header, called the "Referer" header, indicating the URL of the resource from which the request originated. This occurs in numerous situations, for example when a web page loads an image or script, or when a user clicks on a link or submits a form.</p>
<p>If the resource being requested resides on a different domain, then the Referer header is still generally included in the cross-domain request. If the originating URL contains any sensitive information within its query string, such as a session token, then this information will be transmitted to the other domain. If the other domain is not fully trusted by the application, then this may lead to a security compromise.</p>
<p>You should review the contents of the information being transmitted to other domains, and also determine whether those domains are fully trusted by the originating application.</p>
<p>Today's browsers may withhold the Referer header in some situations (for example, when loading a non-HTTPS resource from a page that was loaded over HTTPS, or when a Refresh directive is issued), but this behavior should not be relied upon to protect the originating URL from disclosure.</p>
<p>Note also that if users can author content within the application then an attacker may be able to inject links referring to a domain they control in order to capture data from URLs used within the application. </p></span>
<h2>Issue remediation</h2>
<span class="TEXT"><p>Applications should never transmit any sensitive information within the URL query string. In addition to being leaked in the Referer header, such information may be logged in various locations and may be visible on-screen to untrusted parties. If placing sensitive information in the URL is unavoidable, consider using the Referer-Policy HTTP header to reduce the chance of it being disclosed to third parties.
</p></span>
<h2>References</h2>
<span class="TEXT"><ul>
<li><a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy">Referer Policy</a></li>
</ul></span>
<h2>Vulnerability classifications</h2><span class="TEXT"><ul>
<li><a href="https://cwe.mitre.org/data/definitions/200.html">CWE-200: Information Exposure</a></li>
</ul></span>
<br><br><div class="rule"></div>
<span class="BODH1" id="5.1">5.1.&nbsp;http://121.196.62.22:8082/vulnerabilities/brute/</span>
<br><a class="PREVNEXT" href="#2.2">Previous</a>
&nbsp;<a class="PREVNEXT" href="#5.2">Next</a>
<br>
<h2>Summary</h2>
<table cellpadding="0" cellspacing="0" class="summary_table">
<tr>
<td rowspan="4" class="icon" valign="top" align="center"><div class='scan_issue_info_certain_rpt'></div></td>
<td>Severity:&nbsp;&nbsp;</td>
<td><b>Information</b></td>
</tr>
<tr>
<td>Confidence:&nbsp;&nbsp;</td>
<td><b>Certain</b></td>
</tr>
<tr>
<td>Host:&nbsp;&nbsp;</td>
<td><b>http://121.196.62.22:8082</b></td>
</tr>
<tr>
<td>Path:&nbsp;&nbsp;</td>
<td><b>/vulnerabilities/brute/</b></td>
</tr>
</table>
<h2>Issue detail</h2>
<span class="TEXT">The page was loaded from a URL containing a query string:<ul><li>http://121.196.62.22:8082/vulnerabilities/brute/</li></ul>The response contains the following links to other domains:<ul><li>https://www.owasp.org/index.php/Testing_for_Brute_Force_(OWASP-AT-004)</li><li>http://www.sillychicken.co.nz/Security/how-to-brute-force-http-forms-in-windows.html</li><li>http://www.symantec.com/connect/articles/password-crackers-ensuring-security-your-password</li></ul></span>
<h2>Request</h2>
<div class="rr_div"><span>GET /vulnerabilities/brute/?username=&amp;password=&amp;Login=Login HTTP/1.1<br>Host: 121.196.62.22:8082<br>User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0<br>Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8<br>Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2<br>Accept-Encoding: gzip, deflate<br>Connection: close<br>Referer: http://121.196.62.22:8082/vulnerabilities/brute/<br>Cookie: PHPSESSID=lc9r41g3fktjltmqj2v1odgjm7; security=low<br>Upgrade-Insecure-Requests: 1<br><br></span></div>
<h2>Response</h2>
<div class="rr_div"><span>HTTP/1.1 200 OK<br>Date: Fri, 22 Sep 2023 15:34:39 GMT<br>Server: Apache/2.4.10 (Debian)<br>Expires: Tue, 23 Jun 2009 12:00:00 GMT<br>Cache-Control: no-cache, must-revalidate<br>Pragma: no-cache<br>Vary: Accept-Encoding<br>Content-Length: 4907<br>Connection: close<br>Content-Type: text/html;charset=utf-8<br><br><br>&lt;!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"&gt;<br><br>&lt;html xmlns="http://www.w3.org/1999/xhtml"&gt;<br><br> &nbsp;&nbsp;&nbsp;&lt;head&gt;<br> &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&lt;meta http-equiv="Content-T<br><b>...[SNIP]...</b><br>&lt;li&gt;<span class="HIGHLIGHT">&lt;a href="https://www.owasp.org/index.php/Testing_for_Brute_Force_(OWASP-AT-004)" target="_blank"&gt;</span>https://www.owasp.org/index.php/Testing_for_Brute_Force_(OWASP-AT-004)&lt;/a&gt;<br><b>...[SNIP]...</b><br>&lt;li&gt;<span class="HIGHLIGHT">&lt;a href="http://www.sillychicken.co.nz/Security/how-to-brute-force-http-forms-in-windows.html" target="_blank"&gt;</span><span class="HIGHLIGHT"></span>http://www.sillychicken.co.nz/Security/how-to-brute-force-http-forms-in-windows.html&lt;/a&gt;<br><b>...[SNIP]...</b><br></span></div>
<div class="rule"></div>
<span class="BODH1" id="5.2">5.2.&nbsp;http://121.196.62.22:8082/vulnerabilities/csrf/</span>
<br><a class="PREVNEXT" href="#5.1">Previous</a>
&nbsp;<a class="PREVNEXT" href="#5.3">Next</a>
<br>
<h2>Summary</h2>
<table cellpadding="0" cellspacing="0" class="summary_table">
<tr>
<td rowspan="4" class="icon" valign="top" align="center"><div class='scan_issue_info_certain_rpt'></div></td>
<td>Severity:&nbsp;&nbsp;</td>
<td><b>Information</b></td>
</tr>
<tr>
<td>Confidence:&nbsp;&nbsp;</td>
<td><b>Certain</b></td>
</tr>
<tr>
<td>Host:&nbsp;&nbsp;</td>
<td><b>http://121.196.62.22:8082</b></td>
</tr>
<tr>
<td>Path:&nbsp;&nbsp;</td>
<td><b>/vulnerabilities/csrf/</b></td>
</tr>
</table>
<h2>Issue detail</h2>
<span class="TEXT">The page was loaded from a URL containing a query string:<ul><li>http://121.196.62.22:8082/vulnerabilities/csrf/</li></ul>The response contains the following links to other domains:<ul><li>https://en.wikipedia.org/wiki/Cross-site_request_forgery</li><li>http://www.cgisecurity.com/csrf-faq.html</li><li>https://www.owasp.org/index.php/Cross-Site_Request_Forgery</li></ul></span>
<h2>Request</h2>
<div class="rr_div"><span>GET /vulnerabilities/csrf/?password_new=123&amp;password_conf=123&amp;Change=Change HTTP/1.1<br>Host: 121.196.62.22:8082<br>User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0<br>Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8<br>Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2<br>Accept-Encoding: gzip, deflate<br>Connection: close<br>Referer: http://121.196.62.22:8082/vulnerabilities/csrf/<br>Cookie: PHPSESSID=lc9r41g3fktjltmqj2v1odgjm7; security=low<br>Upgrade-Insecure-Requests: 1<br><br></span></div>
<h2>Response</h2>
<div class="rr_div"><span>HTTP/1.1 200 OK<br>Date: Fri, 22 Sep 2023 15:34:49 GMT<br>Server: Apache/2.4.10 (Debian)<br>Expires: Tue, 23 Jun 2009 12:00:00 GMT<br>Cache-Control: no-cache, must-revalidate<br>Pragma: no-cache<br>Vary: Accept-Encoding<br>Content-Length: 4829<br>Connection: close<br>Content-Type: text/html;charset=utf-8<br><br><br>&lt;!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"&gt;<br><br>&lt;html xmlns="http://www.w3.org/1999/xhtml"&gt;<br><br> &nbsp;&nbsp;&nbsp;&lt;head&gt;<br> &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&lt;meta http-equiv="Content-T<br><b>...[SNIP]...</b><br>&lt;li&gt;<span class="HIGHLIGHT">&lt;a href="https://en.wikipedia.org/wiki/Cross-site_request_forgery " target="_blank"&gt;</span><span class="HIGHLIGHT"></span><span class="HIGHLIGHT"></span>https://en.wikipedia.org/wiki/Cross-site_request_forgery &lt;/a&gt;<br><b>...[SNIP]...</b><br></span></div>
<div class="rule"></div>
<span class="BODH1" id="5.3">5.3.&nbsp;http://121.196.62.22:8082/vulnerabilities/fi/</span>
<br><a class="PREVNEXT" href="#5.2">Previous</a>
&nbsp;<a class="PREVNEXT" href="#5.4">Next</a>
<br>
<h2>Summary</h2>
<table cellpadding="0" cellspacing="0" class="summary_table">
<tr>
<td rowspan="4" class="icon" valign="top" align="center"><div class='scan_issue_info_certain_rpt'></div></td>
<td>Severity:&nbsp;&nbsp;</td>
<td><b>Information</b></td>
</tr>
<tr>
<td>Confidence:&nbsp;&nbsp;</td>
<td><b>Certain</b></td>
</tr>
<tr>
<td>Host:&nbsp;&nbsp;</td>
<td><b>http://121.196.62.22:8082</b></td>
</tr>
<tr>
<td>Path:&nbsp;&nbsp;</td>
<td><b>/vulnerabilities/fi/</b></td>
</tr>
</table>
<h2>Issue detail</h2>
<span class="TEXT">The page was loaded from a URL containing a query string:<ul><li>http://121.196.62.22:8082/vulnerabilities/fi/</li></ul>The response contains the following links to other domains:<ul><li>https://en.wikipedia.org/wiki/Remote_File_Inclusion</li><li>https://www.owasp.org/index.php/Top_10_2007-A3</li></ul></span>
<h2>Request</h2>
<div class="rr_div"><span>GET /vulnerabilities/fi/?page=include.php HTTP/1.1<br>Host: 121.196.62.22:8082<br>User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0<br>Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8<br>Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2<br>Accept-Encoding: gzip, deflate<br>Connection: close<br>Referer: http://121.196.62.22:8082/vulnerabilities/captcha/<br>Cookie: PHPSESSID=lc9r41g3fktjltmqj2v1odgjm7; security=low<br>Upgrade-Insecure-Requests: 1<br><br></span></div>
<h2>Response</h2>
<div class="rr_div"><span>HTTP/1.1 200 OK<br>Date: Fri, 22 Sep 2023 15:34:31 GMT<br>Server: Apache/2.4.10 (Debian)<br>Expires: Tue, 23 Jun 2009 12:00:00 GMT<br>Cache-Control: no-cache, must-revalidate<br>Pragma: no-cache<br>Vary: Accept-Encoding<br>Content-Length: 4393<br>Connection: close<br>Content-Type: text/html;charset=utf-8<br><br><br>&lt;!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"&gt;<br><br>&lt;html xmlns="http://www.w3.org/1999/xhtml"&gt;<br><br> &nbsp;&nbsp;&nbsp;&lt;head&gt;<br> &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&lt;meta http-equiv="Content-T<br><b>...[SNIP]...</b><br>&lt;li&gt;<span class="HIGHLIGHT">&lt;a href="https://en.wikipedia.org/wiki/Remote_File_Inclusion" target="_blank"&gt;</span>https://en.wikipedia.org/wiki/Remote_File_Inclusion&lt;/a&gt;<br><b>...[SNIP]...</b><br>&lt;li&gt;<span class="HIGHLIGHT">&lt;a href="https://www.owasp.org/index.php/Top_10_2007-A3" target="_blank"&gt;</span>https://www.owasp.org/index.php/Top_10_2007-A3&lt;/a&gt;<br><b>...[SNIP]...</b><br></span></div>
<div class="rule"></div>
<span class="BODH1" id="5.4">5.4.&nbsp;http://121.196.62.22:8082/vulnerabilities/sqli/</span>
<br><a class="PREVNEXT" href="#5.3">Previous</a>
&nbsp;<a class="PREVNEXT" href="#5.5">Next</a>
<br>
<h2>Summary</h2>
<table cellpadding="0" cellspacing="0" class="summary_table">
<tr>
<td rowspan="4" class="icon" valign="top" align="center"><div class='scan_issue_info_certain_rpt'></div></td>
<td>Severity:&nbsp;&nbsp;</td>
<td><b>Information</b></td>
</tr>
<tr>
<td>Confidence:&nbsp;&nbsp;</td>
<td><b>Certain</b></td>
</tr>
<tr>
<td>Host:&nbsp;&nbsp;</td>
<td><b>http://121.196.62.22:8082</b></td>
</tr>
<tr>
<td>Path:&nbsp;&nbsp;</td>
<td><b>/vulnerabilities/sqli/</b></td>
</tr>
</table>
<h2>Issue detail</h2>
<span class="TEXT">The page was loaded from a URL containing a query string:<ul><li>http://121.196.62.22:8082/vulnerabilities/sqli/</li></ul>The response contains the following links to other domains:<ul><li>http://bobby-tables.com/</li><li>https://en.wikipedia.org/wiki/SQL_injection</li><li>http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/</li><li>http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet</li><li>https://www.owasp.org/index.php/SQL_Injection</li><li>http://www.securiteam.com/securityreviews/5DP0N1P76E.html</li></ul></span>
<h2>Request</h2>
<div class="rr_div"><span>GET /vulnerabilities/sqli/?id=123&amp;Submit=Submit HTTP/1.1<br>Host: 121.196.62.22:8082<br>User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0<br>Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8<br>Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2<br>Accept-Encoding: gzip, deflate<br>Connection: close<br>Referer: http://121.196.62.22:8082/vulnerabilities/sqli/<br>Cookie: PHPSESSID=lc9r41g3fktjltmqj2v1odgjm7; security=low<br>Upgrade-Insecure-Requests: 1<br><br></span></div>
<h2>Response</h2>
<div class="rr_div"><span>HTTP/1.1 200 OK<br>Date: Fri, 22 Sep 2023 15:35:00 GMT<br>Server: Apache/2.4.10 (Debian)<br>Expires: Tue, 23 Jun 2009 12:00:00 GMT<br>Cache-Control: no-cache, must-revalidate<br>Pragma: no-cache<br>Vary: Accept-Encoding<br>Content-Length: 5011<br>Connection: close<br>Content-Type: text/html;charset=utf-8<br><br><br>&lt;!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"&gt;<br><br>&lt;html xmlns="http://www.w3.org/1999/xhtml"&gt;<br><br> &nbsp;&nbsp;&nbsp;&lt;head&gt;<br> &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&lt;meta http-equiv="Content-T<br><b>...[SNIP]...</b><br>&lt;li&gt;<span class="HIGHLIGHT">&lt;a href="http://bobby-tables.com/" target="_blank"&gt;</span><span class="HIGHLIGHT"></span><span class="HIGHLIGHT"></span><span class="HIGHLIGHT"></span><span class="HIGHLIGHT"></span><span class="HIGHLIGHT"></span>http://bobby-tables.com/&lt;/a&gt;<br><b>...[SNIP]...</b><br></span></div>
<div class="rule"></div>
<span class="BODH1" id="5.5">5.5.&nbsp;http://121.196.62.22:8082/vulnerabilities/sqli_blind/</span>
<br><a class="PREVNEXT" href="#5.4">Previous</a>
&nbsp;<a class="PREVNEXT" href="#7.1">Next</a>
<br>
<h2>Summary</h2>
<table cellpadding="0" cellspacing="0" class="summary_table">
<tr>
<td rowspan="4" class="icon" valign="top" align="center"><div class='scan_issue_info_certain_rpt'></div></td>
<td>Severity:&nbsp;&nbsp;</td>
<td><b>Information</b></td>
</tr>
<tr>
<td>Confidence:&nbsp;&nbsp;</td>
<td><b>Certain</b></td>
</tr>
<tr>
<td>Host:&nbsp;&nbsp;</td>
<td><b>http://121.196.62.22:8082</b></td>
</tr>
<tr>
<td>Path:&nbsp;&nbsp;</td>
<td><b>/vulnerabilities/sqli_blind/</b></td>
</tr>
</table>
<h2>Issue detail</h2>
<span class="TEXT">The page was loaded from a URL containing a query string:<ul><li>http://121.196.62.22:8082/vulnerabilities/sqli_blind/</li></ul>The response contains the following links to other domains:<ul><li>http://bobby-tables.com/</li><li>https://en.wikipedia.org/wiki/SQL_injection</li><li>http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/</li><li>http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet</li><li>https://www.owasp.org/index.php/Blind_SQL_Injection</li><li>http://www.securiteam.com/securityreviews/5DP0N1P76E.html</li></ul></span>
<h2>Request</h2>
<div class="rr_div"><span>GET /vulnerabilities/sqli_blind/?id=123&amp;Submit=Submit HTTP/1.1<br>Host: 121.196.62.22:8082<br>User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0<br>Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8<br>Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2<br>Accept-Encoding: gzip, deflate<br>Connection: close<br>Referer: http://121.196.62.22:8082/vulnerabilities/sqli_blind/<br>Cookie: PHPSESSID=lc9r41g3fktjltmqj2v1odgjm7; security=low<br>Upgrade-Insecure-Requests: 1<br><br></span></div>
<h2>Response</h2>
<div class="rr_div"><span>HTTP/1.1 404 Not Found<br>Date: Fri, 22 Sep 2023 15:35:05 GMT<br>Server: Apache/2.4.10 (Debian)<br>Expires: Tue, 23 Jun 2009 12:00:00 GMT<br>Cache-Control: no-cache, must-revalidate<br>Pragma: no-cache<br>Content-Length: 5099<br>Connection: close<br>Content-Type: text/html;charset=utf-8<br><br><br>&lt;!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"&gt;<br><br>&lt;html xmlns="http://www.w3.org/1999/xhtml"&gt;<br><br> &nbsp;&nbsp;&nbsp;&lt;head&gt;<br> &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&lt;meta http-equiv="Content-T<br><b>...[SNIP]...</b><br>&lt;li&gt;<span class="HIGHLIGHT">&lt;a href="http://bobby-tables.com/" target="_blank"&gt;</span><span class="HIGHLIGHT"></span><span class="HIGHLIGHT"></span><span class="HIGHLIGHT"></span><span class="HIGHLIGHT"></span><span class="HIGHLIGHT"></span>http://bobby-tables.com/&lt;/a&gt;<br><b>...[SNIP]...</b><br></span></div>
<div class="rule"></div>
<span class="BODH0" id="6">6.&nbsp;<a href="https://portswigger.net/knowledgebase/issues/details/00500980_fileuploadfunctionality">File upload functionality</a></span>
<br><a class="PREVNEXT" href="#5">Previous</a>
&nbsp;<a class="PREVNEXT" href="#7">Next</a>
<br>
<h2>Summary</h2>
<table cellpadding="0" cellspacing="0" class="summary_table">
<tr>
<td rowspan="4" class="icon" valign="top" align="center"><div class='scan_issue_info_certain_rpt'></div></td>
<td>Severity:&nbsp;&nbsp;</td>
<td><b>Information</b></td>
</tr>
<tr>
<td>Confidence:&nbsp;&nbsp;</td>
<td><b>Certain</b></td>
</tr>
<tr>
<td>Host:&nbsp;&nbsp;</td>
<td><b>http://121.196.62.22:8082</b></td>
</tr>
<tr>
<td>Path:&nbsp;&nbsp;</td>
<td><b>/vulnerabilities/upload/</b></td>
</tr>
</table>
<h2>Issue detail</h2>
<span class="TEXT">The page contains a form which is used to submit a user-supplied file to the following URL:<ul><li>http://121.196.62.22:8082/vulnerabilities/upload/</li></ul>Note that Burp has not identified any specific security vulnerabilities with this functionality, and you should manually review it to determine whether any problems exist.</span>
<h2>Issue background</h2>
<span class="TEXT"><p>File upload functionality is commonly associated with a number of vulnerabilities, including:</p>
<ul>
<li>File path traversal</li><li>Persistent cross-site scripting</li><li>Placing of other client-executable code into the domain</li><li>Transmission of viruses and other malware</li><li>Denial of service</li></ul>
<p>You should review file upload functionality to understand its purpose, and establish whether uploaded content is ever returned to other application users, either through their normal usage of the application or by being fed a specific link by an attacker.</p>
<p>Some factors to consider when evaluating the security impact of this functionality include:</p>
<ul>
<li>Whether uploaded content can subsequently be downloaded via a URL within the application.</li><li>What Content-type and Content-disposition headers the application returns when the file's content is downloaded.</li><li>Whether it is possible to place executable HTML/JavaScript into the file, which executes when the file's contents are viewed.</li><li>Whether the application performs any filtering on the file extension or MIME type of the uploaded file.</li><li>Whether it is possible to construct a hybrid file containing both executable and non-executable content, to bypass any content filters - for example, a file containing both a GIF image and a Java archive (known as a GIFAR file).</li><li>What location is used to store uploaded content, and whether it is possible to supply a crafted filename to escape from this location.</li><li>Whether archive formats such as ZIP are unpacked by the application.</li><li>How the application handles attempts to upload very large files, or decompression bomb files.</li></ul></span>
<h2>Issue remediation</h2>
<span class="TEXT"><p>File upload functionality is not straightforward to implement securely. Some recommendations to consider in the design of this functionality include:</p>
<ul>
<li>Use a server-generated filename if storing uploaded files on disk.</li><li>Inspect the content of uploaded files, and enforce a whitelist of accepted, non-executable content types. Additionally, enforce a blacklist of common executable formats, to hinder hybrid file attacks.</li><li>Enforce a whitelist of accepted, non-executable file extensions.</li>
<li>If uploaded files are downloaded by users, supply an accurate non-generic Content-Type header, the X-Content-Type-Options: nosniff header, and also a Content-Disposition header that specifies that browsers should handle the file as an attachment.</li>
<li>Enforce a size limit on uploaded files (for defense-in-depth, this can be implemented both within application code and in the web server's configuration).</li><li>Reject attempts to upload archive formats such as ZIP.</li></ul></span>
<h2>References</h2>
<span class="TEXT"><ul><li><a href="https://github.com/cure53/H5SC/tree/master/attachments">Various proof-of-concept files</a></li>
<li><a href="http://labs.detectify.com/post/120088174539/building-an-xss-polyglot-through-swf-and-csp">An XSS polyglot attack</a></li>
</ul></span>
<h2>Vulnerability classifications</h2><span class="TEXT"><ul>
<li><a href="https://cwe.mitre.org/data/definitions/434.html">CWE-434: Unrestricted Upload of File with Dangerous Type</a></li>
</ul></span>
<h2>Request</h2>
<div class="rr_div"><span>GET /vulnerabilities/upload/ HTTP/1.1<br>Host: 121.196.62.22:8082<br>User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0<br>Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8<br>Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2<br>Accept-Encoding: gzip, deflate<br>Connection: close<br>Referer: http://121.196.62.22:8082/vulnerabilities/csrf/?password_new=123&amp;password_conf=123&amp;Change=Change<br>Cookie: PHPSESSID=lc9r41g3fktjltmqj2v1odgjm7; security=low<br>Upgrade-Insecure-Requests: 1<br><br></span></div>
<h2>Response</h2>
<div class="rr_div"><span>HTTP/1.1 200 OK<br>Date: Fri, 22 Sep 2023 15:34:51 GMT<br>Server: Apache/2.4.10 (Debian)<br>Expires: Tue, 23 Jun 2009 12:00:00 GMT<br>Cache-Control: no-cache, must-revalidate<br>Pragma: no-cache<br>Vary: Accept-Encoding<br>Content-Length: 4726<br>Connection: close<br>Content-Type: text/html;charset=utf-8<br><br><br>&lt;!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"&gt;<br><br>&lt;html xmlns="http://www.w3.org/1999/xhtml"&gt;<br><br> &nbsp;&nbsp;&nbsp;&lt;head&gt;<br> &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&lt;meta http-equiv="Content-T<br><b>...[SNIP]...</b><br>&lt;br /&gt;<br> &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;<span class="HIGHLIGHT">&lt;input name="uploaded" type="file" /&gt;</span>&lt;br /&gt;<br><b>...[SNIP]...</b><br></span></div>
<div class="rule"></div>
<span class="BODH0" id="7">7.&nbsp;<a href="https://portswigger.net/knowledgebase/issues/details/005009a0_frameableresponsepotentialclickjacking">Frameable response (potential Clickjacking)</a></span>
<br><a class="PREVNEXT" href="#6">Previous</a>
<br>
<br><span class="TEXT">There are 7 instances of this issue:
<ul>
<li><a href="#7.1">/vulnerabilities</a></li>
<li><a href="#7.2">/vulnerabilities/brute/</a></li>
<li><a href="#7.3">/vulnerabilities/csrf/</a></li>
<li><a href="#7.4">/vulnerabilities/exec/</a></li>
<li><a href="#7.5">/vulnerabilities/fi/</a></li>
<li><a href="#7.6">/vulnerabilities/sqli/</a></li>
<li><a href="#7.7">/vulnerabilities/upload/</a></li>
</ul></span>
<h2>Issue background</h2>
<span class="TEXT"><p>If a page fails to set an appropriate X-Frame-Options or Content-Security-Policy HTTP header, it might be possible for a page controlled by an attacker to load it within an iframe. This may enable a clickjacking attack, in which the attacker's page overlays the target application's interface with a different interface provided by the attacker. By inducing victim users to perform actions such as mouse clicks and keystrokes, the attacker can cause them to unwittingly carry out actions within the application that is being targeted. This technique allows the attacker to circumvent defenses against cross-site request forgery, and may result in unauthorized actions.</p>
<p>Note that some applications attempt to prevent these attacks from within the HTML page itself, using "framebusting" code. However, this type of defense is normally ineffective and can usually be circumvented by a skilled attacker.</p>
<p>You should determine whether any functions accessible within frameable pages can be used by application users to perform any sensitive actions within the application. </p></span>
<h2>Issue remediation</h2>
<span class="TEXT"><p>To effectively prevent framing attacks, the application should return a response header with the name <b>X-Frame-Options</b> and the value <b>DENY</b> to prevent framing altogether, or the value <b>SAMEORIGIN</b> to allow framing only by pages on the same origin as the response itself. Note that the SAMEORIGIN header can be partially bypassed if the application itself can be made to frame untrusted websites.</p></span>
<h2>References</h2>
<span class="TEXT"><ul><li><a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options">X-Frame-Options</a></li></ul></span>
<h2>Vulnerability classifications</h2><span class="TEXT"><ul>
<li><a href="https://cwe.mitre.org/data/definitions/693.html">CWE-693: Protection Mechanism Failure</a></li>
</ul></span>
<br><br><div class="rule"></div>
<span class="BODH1" id="7.1">7.1.&nbsp;http://121.196.62.22:8082/vulnerabilities</span>
<br><a class="PREVNEXT" href="#5.5">Previous</a>
&nbsp;<a class="PREVNEXT" href="#7.2">Next</a>
<br>
<h2>Summary</h2>
<table cellpadding="0" cellspacing="0" class="summary_table">
<tr>
<td rowspan="4" class="icon" valign="top" align="center"><div class='scan_issue_info_firm_rpt'></div></td>
<td>Severity:&nbsp;&nbsp;</td>
<td><b>Information</b></td>
</tr>
<tr>
<td>Confidence:&nbsp;&nbsp;</td>
<td><b>Firm</b></td>
</tr>
<tr>
<td>Host:&nbsp;&nbsp;</td>
<td><b>http://121.196.62.22:8082</b></td>
</tr>
<tr>
<td>Path:&nbsp;&nbsp;</td>
<td><b>/vulnerabilities</b></td>
</tr>
</table>
<h2>Issue detail</h2>
<span class="TEXT">This issue was found in multiple locations under the reported path.</span>
<h2>Request</h2>
<div class="rr_div"><span>GET /vulnerabilities/sqli_blind/ HTTP/1.1<br>Host: 121.196.62.22:8082<br>User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0<br>Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8<br>Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2<br>Accept-Encoding: gzip, deflate<br>Connection: close<br>Referer: http://121.196.62.22:8082/vulnerabilities/sqli/?id=&amp;Submit=Submit<br>Cookie: PHPSESSID=lc9r41g3fktjltmqj2v1odgjm7; security=low<br>Upgrade-Insecure-Requests: 1<br><br></span></div>
<h2>Response</h2>
<div class="rr_div"><span>HTTP/1.1 200 OK<br>Date: Fri, 22 Sep 2023 15:35:04 GMT<br>Server: Apache/2.4.10 (Debian)<br>Expires: Tue, 23 Jun 2009 12:00:00 GMT<br>Cache-Control: no-cache, must-revalidate<br>Pragma: no-cache<br>Vary: Accept-Encoding<br>Content-Length: 5051<br>Connection: close<br>Content-Type: text/html;charset=utf-8<br><br><br>&lt;!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"&gt;<br><br>&lt;html xmlns="http://www.w3.org/1999/xhtml"&gt;<br><br> &nbsp;&nbsp;&nbsp;&lt;head&gt;<br> &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&lt;meta http-equiv="Content-T<br><b>...[SNIP]...</b><br></span></div>
<div class="rule"></div>
<span class="BODH1" id="7.2">7.2.&nbsp;http://121.196.62.22:8082/vulnerabilities/brute/</span>
<br><a class="PREVNEXT" href="#7.1">Previous</a>
&nbsp;<a class="PREVNEXT" href="#7.3">Next</a>
<br>
<h2>Summary</h2>
<table cellpadding="0" cellspacing="0" class="summary_table">
<tr>
<td rowspan="4" class="icon" valign="top" align="center"><div class='scan_issue_info_firm_rpt'></div></td>
<td>Severity:&nbsp;&nbsp;</td>
<td><b>Information</b></td>
</tr>
<tr>
<td>Confidence:&nbsp;&nbsp;</td>
<td><b>Firm</b></td>
</tr>
<tr>
<td>Host:&nbsp;&nbsp;</td>
<td><b>http://121.196.62.22:8082</b></td>
</tr>
<tr>
<td>Path:&nbsp;&nbsp;</td>
<td><b>/vulnerabilities/brute/</b></td>
</tr>
</table>
<h2>Request</h2>
<div class="rr_div"><span>GET /vulnerabilities/brute/ HTTP/1.1<br>Host: 121.196.62.22:8082<br>User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0<br>Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8<br>Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2<br>Accept-Encoding: gzip, deflate<br>Connection: close<br>Referer: http://121.196.62.22:8082/vulnerabilities/captcha/<br>Cookie: PHPSESSID=lc9r41g3fktjltmqj2v1odgjm7; security=low<br>Upgrade-Insecure-Requests: 1<br><br></span></div>
<h2>Response</h2>
<div class="rr_div"><span>HTTP/1.1 200 OK<br>Date: Fri, 22 Sep 2023 15:34:31 GMT<br>Server: Apache/2.4.10 (Debian)<br>Expires: Tue, 23 Jun 2009 12:00:00 GMT<br>Cache-Control: no-cache, must-revalidate<br>Pragma: no-cache<br>Vary: Accept-Encoding<br>Content-Length: 4855<br>Connection: close<br>Content-Type: text/html;charset=utf-8<br><br><br>&lt;!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"&gt;<br><br>&lt;html xmlns="http://www.w3.org/1999/xhtml"&gt;<br><br> &nbsp;&nbsp;&nbsp;&lt;head&gt;<br> &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&lt;meta http-equiv="Content-T<br><b>...[SNIP]...</b><br></span></div>
<div class="rule"></div>
<span class="BODH1" id="7.3">7.3.&nbsp;http://121.196.62.22:8082/vulnerabilities/csrf/</span>
<br><a class="PREVNEXT" href="#7.2">Previous</a>
&nbsp;<a class="PREVNEXT" href="#7.4">Next</a>
<br>
<h2>Summary</h2>
<table cellpadding="0" cellspacing="0" class="summary_table">
<tr>
<td rowspan="4" class="icon" valign="top" align="center"><div class='scan_issue_info_firm_rpt'></div></td>
<td>Severity:&nbsp;&nbsp;</td>
<td><b>Information</b></td>
</tr>
<tr>
<td>Confidence:&nbsp;&nbsp;</td>
<td><b>Firm</b></td>
</tr>
<tr>
<td>Host:&nbsp;&nbsp;</td>
<td><b>http://121.196.62.22:8082</b></td>
</tr>
<tr>
<td>Path:&nbsp;&nbsp;</td>
<td><b>/vulnerabilities/csrf/</b></td>
</tr>
</table>
<h2>Request</h2>
<div class="rr_div"><span>GET /vulnerabilities/csrf/ HTTP/1.1<br>Host: 121.196.62.22:8082<br>User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0<br>Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8<br>Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2<br>Accept-Encoding: gzip, deflate<br>Connection: close<br>Referer: http://121.196.62.22:8082/vulnerabilities/exec/<br>Cookie: PHPSESSID=lc9r41g3fktjltmqj2v1odgjm7; security=low<br>Upgrade-Insecure-Requests: 1<br><br></span></div>
<h2>Response</h2>
<div class="rr_div"><span>HTTP/1.1 200 OK<br>Date: Fri, 22 Sep 2023 15:34:45 GMT<br>Server: Apache/2.4.10 (Debian)<br>Expires: Tue, 23 Jun 2009 12:00:00 GMT<br>Cache-Control: no-cache, must-revalidate<br>Pragma: no-cache<br>Vary: Accept-Encoding<br>Content-Length: 4801<br>Connection: close<br>Content-Type: text/html;charset=utf-8<br><br><br>&lt;!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"&gt;<br><br>&lt;html xmlns="http://www.w3.org/1999/xhtml"&gt;<br><br> &nbsp;&nbsp;&nbsp;&lt;head&gt;<br> &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&lt;meta http-equiv="Content-T<br><b>...[SNIP]...</b><br></span></div>
<div class="rule"></div>
<span class="BODH1" id="7.4">7.4.&nbsp;http://121.196.62.22:8082/vulnerabilities/exec/</span>
<br><a class="PREVNEXT" href="#7.3">Previous</a>
&nbsp;<a class="PREVNEXT" href="#7.5">Next</a>
<br>
<h2>Summary</h2>
<table cellpadding="0" cellspacing="0" class="summary_table">
<tr>
<td rowspan="4" class="icon" valign="top" align="center"><div class='scan_issue_info_firm_rpt'></div></td>
<td>Severity:&nbsp;&nbsp;</td>
<td><b>Information</b></td>
</tr>
<tr>
<td>Confidence:&nbsp;&nbsp;</td>
<td><b>Firm</b></td>
</tr>
<tr>
<td>Host:&nbsp;&nbsp;</td>
<td><b>http://121.196.62.22:8082</b></td>
</tr>
<tr>
<td>Path:&nbsp;&nbsp;</td>
<td><b>/vulnerabilities/exec/</b></td>
</tr>
</table>
<h2>Request</h2>
<div class="rr_div"><span>GET /vulnerabilities/exec/ HTTP/1.1<br>Host: 121.196.62.22:8082<br>User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0<br>Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8<br>Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2<br>Accept-Encoding: gzip, deflate<br>Connection: close<br>Referer: http://121.196.62.22:8082/vulnerabilities/captcha/<br>Cookie: PHPSESSID=lc9r41g3fktjltmqj2v1odgjm7; security=low<br>Upgrade-Insecure-Requests: 1<br><br></span></div>
<h2>Response</h2>
<div class="rr_div"><span>HTTP/1.1 200 OK<br>Date: Fri, 22 Sep 2023 15:34:31 GMT<br>Server: Apache/2.4.10 (Debian)<br>Expires: Tue, 23 Jun 2009 12:00:00 GMT<br>Cache-Control: no-cache, must-revalidate<br>Pragma: no-cache<br>Vary: Accept-Encoding<br>Content-Length: 4699<br>Connection: close<br>Content-Type: text/html;charset=utf-8<br><br><br>&lt;!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"&gt;<br><br>&lt;html xmlns="http://www.w3.org/1999/xhtml"&gt;<br><br> &nbsp;&nbsp;&nbsp;&lt;head&gt;<br> &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&lt;meta http-equiv="Content-T<br><b>...[SNIP]...</b><br></span></div>
<div class="rule"></div>
<span class="BODH1" id="7.5">7.5.&nbsp;http://121.196.62.22:8082/vulnerabilities/fi/</span>
<br><a class="PREVNEXT" href="#7.4">Previous</a>
&nbsp;<a class="PREVNEXT" href="#7.6">Next</a>
<br>
<h2>Summary</h2>
<table cellpadding="0" cellspacing="0" class="summary_table">
<tr>
<td rowspan="4" class="icon" valign="top" align="center"><div class='scan_issue_info_firm_rpt'></div></td>
<td>Severity:&nbsp;&nbsp;</td>
<td><b>Information</b></td>
</tr>
<tr>
<td>Confidence:&nbsp;&nbsp;</td>
<td><b>Firm</b></td>
</tr>
<tr>
<td>Host:&nbsp;&nbsp;</td>
<td><b>http://121.196.62.22:8082</b></td>
</tr>
<tr>
<td>Path:&nbsp;&nbsp;</td>
<td><b>/vulnerabilities/fi/</b></td>
</tr>
</table>
<h2>Request</h2>
<div class="rr_div"><span>GET /vulnerabilities/fi/?page=include.php HTTP/1.1<br>Host: 121.196.62.22:8082<br>User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0<br>Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8<br>Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2<br>Accept-Encoding: gzip, deflate<br>Connection: close<br>Referer: http://121.196.62.22:8082/vulnerabilities/captcha/<br>Cookie: PHPSESSID=lc9r41g3fktjltmqj2v1odgjm7; security=low<br>Upgrade-Insecure-Requests: 1<br><br></span></div>
<h2>Response</h2>
<div class="rr_div"><span>HTTP/1.1 200 OK<br>Date: Fri, 22 Sep 2023 15:34:31 GMT<br>Server: Apache/2.4.10 (Debian)<br>Expires: Tue, 23 Jun 2009 12:00:00 GMT<br>Cache-Control: no-cache, must-revalidate<br>Pragma: no-cache<br>Vary: Accept-Encoding<br>Content-Length: 4393<br>Connection: close<br>Content-Type: text/html;charset=utf-8<br><br><br>&lt;!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"&gt;<br><br>&lt;html xmlns="http://www.w3.org/1999/xhtml"&gt;<br><br> &nbsp;&nbsp;&nbsp;&lt;head&gt;<br> &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&lt;meta http-equiv="Content-T<br><b>...[SNIP]...</b><br></span></div>
<div class="rule"></div>
<span class="BODH1" id="7.6">7.6.&nbsp;http://121.196.62.22:8082/vulnerabilities/sqli/</span>
<br><a class="PREVNEXT" href="#7.5">Previous</a>
&nbsp;<a class="PREVNEXT" href="#7.7">Next</a>
<br>
<h2>Summary</h2>
<table cellpadding="0" cellspacing="0" class="summary_table">
<tr>
<td rowspan="4" class="icon" valign="top" align="center"><div class='scan_issue_info_firm_rpt'></div></td>
<td>Severity:&nbsp;&nbsp;</td>
<td><b>Information</b></td>
</tr>
<tr>
<td>Confidence:&nbsp;&nbsp;</td>
<td><b>Firm</b></td>
</tr>
<tr>
<td>Host:&nbsp;&nbsp;</td>
<td><b>http://121.196.62.22:8082</b></td>
</tr>
<tr>
<td>Path:&nbsp;&nbsp;</td>
<td><b>/vulnerabilities/sqli/</b></td>
</tr>
</table>
<h2>Request</h2>
<div class="rr_div"><span>GET /vulnerabilities/sqli/ HTTP/1.1<br>Host: 121.196.62.22:8082<br>User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0<br>Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8<br>Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2<br>Accept-Encoding: gzip, deflate<br>Connection: close<br>Referer: http://121.196.62.22:8082/vulnerabilities/captcha/<br>Cookie: PHPSESSID=lc9r41g3fktjltmqj2v1odgjm7; security=low<br>Upgrade-Insecure-Requests: 1<br><br></span></div>
<h2>Response</h2>
<div class="rr_div"><span>HTTP/1.1 200 OK<br>Date: Fri, 22 Sep 2023 15:34:31 GMT<br>Server: Apache/2.4.10 (Debian)<br>Expires: Tue, 23 Jun 2009 12:00:00 GMT<br>Cache-Control: no-cache, must-revalidate<br>Pragma: no-cache<br>Vary: Accept-Encoding<br>Content-Length: 5011<br>Connection: close<br>Content-Type: text/html;charset=utf-8<br><br><br>&lt;!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"&gt;<br><br>&lt;html xmlns="http://www.w3.org/1999/xhtml"&gt;<br><br> &nbsp;&nbsp;&nbsp;&lt;head&gt;<br> &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&lt;meta http-equiv="Content-T<br><b>...[SNIP]...</b><br></span></div>
<div class="rule"></div>
<span class="BODH1" id="7.7">7.7.&nbsp;http://121.196.62.22:8082/vulnerabilities/upload/</span>
<br><a class="PREVNEXT" href="#7.6">Previous</a>
<br>
<h2>Summary</h2>
<table cellpadding="0" cellspacing="0" class="summary_table">
<tr>
<td rowspan="4" class="icon" valign="top" align="center"><div class='scan_issue_info_firm_rpt'></div></td>
<td>Severity:&nbsp;&nbsp;</td>
<td><b>Information</b></td>
</tr>
<tr>
<td>Confidence:&nbsp;&nbsp;</td>
<td><b>Firm</b></td>
</tr>
<tr>
<td>Host:&nbsp;&nbsp;</td>
<td><b>http://121.196.62.22:8082</b></td>
</tr>
<tr>
<td>Path:&nbsp;&nbsp;</td>
<td><b>/vulnerabilities/upload/</b></td>
</tr>
</table>
<h2>Request</h2>
<div class="rr_div"><span>GET /vulnerabilities/upload/ HTTP/1.1<br>Host: 121.196.62.22:8082<br>User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0<br>Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8<br>Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2<br>Accept-Encoding: gzip, deflate<br>Connection: close<br>Referer: http://121.196.62.22:8082/vulnerabilities/csrf/?password_new=123&amp;password_conf=123&amp;Change=Change<br>Cookie: PHPSESSID=lc9r41g3fktjltmqj2v1odgjm7; security=low<br>Upgrade-Insecure-Requests: 1<br><br></span></div>
<h2>Response</h2>
<div class="rr_div"><span>HTTP/1.1 200 OK<br>Date: Fri, 22 Sep 2023 15:34:51 GMT<br>Server: Apache/2.4.10 (Debian)<br>Expires: Tue, 23 Jun 2009 12:00:00 GMT<br>Cache-Control: no-cache, must-revalidate<br>Pragma: no-cache<br>Vary: Accept-Encoding<br>Content-Length: 4726<br>Connection: close<br>Content-Type: text/html;charset=utf-8<br><br><br>&lt;!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"&gt;<br><br>&lt;html xmlns="http://www.w3.org/1999/xhtml"&gt;<br><br> &nbsp;&nbsp;&nbsp;&lt;head&gt;<br> &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&lt;meta http-equiv="Content-T<br><b>...[SNIP]...</b><br></span></div>
<div class="rule"></div>
<span class="TEXT"><br>Report generated by Burp Suite <a href="https://portswigger.net/vulnerability-scanner/">web vulnerability scanner</a> v2020.2, at Fri Sep 22 23:36:00 CST 2023.<br><br></span>
</div>
</body>
</html>
